Indian lawmakers on Wednesday passed a data protection law that will dictate how tech companies process users’ data amid criticism that it will likely lead to increased surveillance by the government.
The law will allow companies to transfer some users’ data abroad while giving the government power to seek information from firms and issue directions to block content on the advice of a data protection board appointed by the federal government.
The Digital Personal Data Protection Bill, 2023 gives the government powers to exempt state agencies from the law and gives users the right to correct or erase their personal data.
The new legislation comes after India withdrew a 2019 privacy bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.
The law proposes penalties of up to 2.5 billion rupees ($30 million) for violations and non-compliance.
However, it has drawn criticism from opposition lawmakers and rights groups over the scope of exemptions.
The Internet Freedom Foundation, a digital rights group, has also said that the law does not contain any meaningful safeguards against “over-broad surveillance”, while the Editors Guild of India has said it affects press freedom and dilutes the Right to Information law.
Deputy minister for information technology Rajeev Chandrasekhar has said that the law will protect the rights of all citizens, allow the innovation economy to expand, and permit the government legitimate access in the case of national security and emergencies like pandemics and earthquakes.